Bug 1316826 - Test case for strict-dynamic blocks inline event handlers. r=dveditz a=dveditz
authorFrederik Braun <fbraun+gh@mozilla.com>
Mon, 21 Nov 2016 15:13:29 -0500
changeset 444305 d49013ebf0df7f07ecb12467f193583272bc4a00
parent 444304 706ad7566a0838290157ad85b7458fda875190e2
child 444306 08001161f0d1ce3bd8f9cbeba4a256659a5866e7
push id37233
push usermartin.thomson@gmail.com
push dateMon, 28 Nov 2016 00:01:40 +0000
reviewersdveditz, dveditz
bugs1316826
milestone52.0a2
Bug 1316826 - Test case for strict-dynamic blocks inline event handlers. r=dveditz a=dveditz MozReview-Commit-ID: 4TS4pUNeIS1
dom/security/test/csp/file_strict_dynamic_script_events.html
dom/security/test/csp/file_strict_dynamic_script_events_xbl.html
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_strict_dynamic.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_script_events.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1316826 - 'strict-dynamic' blocking DOM event handlers</title>
+</head>
+<body>
+<div id="testdiv">blocked</div>
+
+ <img src='/nonexisting.jpg'
+      onerror='document.getElementById("testdiv").innerHTML = "allowed";'
+      style='display:none'>
+
+</body>
+</html>
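Review bot: The expectation can only fail if the onerror handler on line 31 actually runs, yet the page's initial text on line 28 is already `blocked`, so an error event that never fires (a server answering `/nonexisting.jpg` with 200, or a change in when image errors are dispatched) would let `result: "blocked"` pass without CSP doing anything. The same vacuous-pass shape applies to the `onstart` handler in file_strict_dynamic_script_events_xbl.html and to both new entries in test_strict_dynamic.html. A positive control that loads the same file under a policy which permits inline handlers, e.g. `{ desc: "DOM events allowed without strict-dynamic", result: "allowed", file: "file_strict_dynamic_script_events.html", policy: "script-src 'unsafe-inline'" }`, would establish that the handler path fires before the test asserts that 'strict-dynamic' suppresses it. The harness that reads `#testdiv` is outside this commit, so the pass criterion is inferred from the `result` values in the test table.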
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_script_events_xbl.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1316826 - 'strict-dynamic' blocking DOM event handlers</title>
+</head>
+<body>
+<div id="testdiv">blocked</div>
+
+<marquee onstart='document.getElementById("testdiv").innerHTML = "allowed";'>
+  Bug 1316826
+</marquee>
+
+</body>
+</html>
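Review bot: Nothing in this file says why `<marquee onstart=…>` on line 48 is the subject instead of the plain `<img onerror=…>` used by the sibling file; only the `_xbl` suffix in the filename and a one-line comment in test_strict_dynamic.html hint at the reason. An HTML comment above line 48 along the lines of `<!-- <marquee> is backed by an XBL binding in Gecko, so its onstart handler reaches CSP through the XBL event path rather than the HTML parser; keep in sync with file_strict_dynamic_script_events.html -->` would tell a reader which code path this variant covers and why the two files must both exist. If the XBL binding is not in fact the reason, the comment should state whatever is.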
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -184,16 +184,18 @@ support-files =
   file_sandbox_11.html
   file_sandbox_12.html
   file_require_sri_meta.sjs
   file_require_sri_meta.js
   file_sendbeacon.html
   file_upgrade_insecure_docwrite_iframe.sjs
   file_data-uri_blocked.html
   file_data-uri_blocked.html^headers^
+  file_strict_dynamic_script_events.html
+  file_strict_dynamic_script_events_xbl.html
   file_strict_dynamic_script_inline.html
   file_strict_dynamic_script_extern.html
   file_strict_dynamic.js
   file_strict_dynamic_parser_inserted_doc_write.html
   file_strict_dynamic_parser_inserted_doc_write_correct_nonce.html
   file_strict_dynamic_non_parser_inserted.html
   file_strict_dynamic_non_parser_inserted_inline.html
   file_strict_dynamic_unsafe_eval.html
--- a/dom/security/test/csp/test_strict_dynamic.html
+++ b/dom/security/test/csp/test_strict_dynamic.html
@@ -67,16 +67,29 @@ var tests = [
     policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
   },
   {
     desc: "strict-dynamic with no 'nonce-' should be blocked",
     result: "blocked",
     file: "file_strict_dynamic_script_inline.html",
     policy: "script-src 'strict-dynamic'"
   },
+  {
+    desc: "strict-dynamic with DOM events should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_events.html",
+    policy: "script-src 'strict-dynamic' 'nonce-foo'"
+  },
+  {
+    // marquee is a special snowflake. Extra test for xbl things.
+    desc: "strict-dynamic with DOM events should be blocked (XBL)",
+    result: "blocked",
+    file: "file_strict_dynamic_script_events_xbl.html",
+    policy: "script-src 'strict-dynamic' 'nonce-foo'"
+  }
 ];
 
 var counter = 0;
 var curTest;
 
 function loadNextTest() {
   if (counter == tests.length) {
     SimpleTest.finish();
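Review bot: The comment on the XBL entry, `// marquee is a special snowflake. Extra test for xbl things.`, tells the next reader that something is different but not what, which is the one thing a comment on this entry needs to carry. Something like `// <marquee> is implemented through an XBL binding, so its onstart handler reaches CSP via the XBL event path rather than the HTML parser; the plain-DOM case is the entry above.` names the code path being covered. Both new entries carry `'nonce-foo'` although neither test page has a nonce attribute; a short note that the nonce is deliberately unused (the point being that 'strict-dynamic' must block attribute handlers regardless of a valid nonce in the policy) would pre-empt the obvious question. The `tests` array starts before this hunk and `loadNextTest` continues past it.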